Re: [Acme] Issue: Allow ports other than 443

Hugo Landau <hlandau@devever.net> Tue, 24 November 2015 10:17 UTC

Date: Tue, 24 Nov 2015 10:17:18 +0000
From: Hugo Landau <hlandau@devever.net>
To: acme@ietf.org
Message-ID: <20151124101718.GA18565@andover>
References: <5e9b22a3942d4a39981878b13e4a7752@usma1ex-dag1mb1.msg.corp.akamai.com> <0630035C-E4F6-41AA-A339-7101B448F0FA@vigilsec.com> <CABkgnnUxSwMmOR=QVE-gMvj9dHW6Tk2Z=EO7RDx6E5zVAp_SrQ@mail.gmail.com>
In-Reply-To: <CABkgnnUxSwMmOR=QVE-gMvj9dHW6Tk2Z=EO7RDx6E5zVAp_SrQ@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/33w4bud4-EpfaEg8GjojkbByGIc>
Subject: Re: [Acme] Issue: Allow ports other than 443
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>

On Mon, Nov 23, 2015 at 09:52:07AM -0800, Martin Thomson wrote:
> Could we ask IANA for a reserved system port (<1024)?  Then it would
> be possible for an ACME client to operate without disturbing running
> services.

I wrote this on the github issue, but should have posted it here:

It seems like there is a clear roadmap for doing this securely:

  - Register a new port <1024 with IANA, exclusively for the purposes of
    ACME challenges. The semantics of this port are that control of it is
    deemed to constitute control of the system.

  - Might want to require that TLS be used on this port; otherwise you
    have the possibility that either HTTP or TLS (either for HTTP or
    DVSNI) is running on the port. These sorts of ambiguities should be
    avoided. It also allows this "hostmaster" port to be extended for
    other purposes at a later time via ALPN.

  - Allow either port 443 or that port to be used.

  - Arguably, one should not even allow the use of port 443 if this port
    is open. Note that use of 443 has already proven a problem once with
    the vulnerabilities in the DVSNI challenge mechanism w.r.t. common
    hosting configurations.
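As an added example (not code from this thread or from any ACME implementation), a Go sketch of the validator-side check the proposal implies: a TLS-only challenge port on which the validator demands a dedicated ALPN protocol, so an ordinary HTTPS server that happens to own the port is rejected instead of being mistaken for a challenge responder. The ALPN identifier `acme-hostmaster`, the self-signed certificate, and the in-memory pipe standing in for a real socket are all assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Hypothetical ALPN identifier for the proposed dedicated challenge port
// (an assumption for this example; nothing of the kind is registered).
const hostmasterALPN = "acme-hostmaster"

// selfSigned builds a throwaway certificate so the example runs offline.
// Proof of control comes from answering on the port, not from the cert.
func selfSigned() tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example.test"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		DNSNames: []string{"example.test"},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// Validate plays the CA side against a listener advertising serverProtos.
// The challenge passes only if the listener negotiates the hostmaster ALPN,
// so a plain HTTPS server (http/1.1 only) on the port is rejected.
func Validate(serverProtos []string) error {
	sc, cc := net.Pipe() // constructed in-memory connection, no real socket
	srv := tls.Server(sc, &tls.Config{
		Certificates: []tls.Certificate{selfSigned()}, NextProtos: serverProtos,
		SessionTicketsDisabled: true, // no post-handshake write on the synchronous pipe
	})
	go func() { srv.Handshake(); srv.Close() }()
	cli := tls.Client(cc, &tls.Config{InsecureSkipVerify: true, NextProtos: []string{hostmasterALPN}})
	defer cli.Close()
	if err := cli.Handshake(); err != nil {
		return err // no ALPN overlap: the handshake itself fails
	}
	if p := cli.ConnectionState().NegotiatedProtocol; p != hostmasterALPN {
		return fmt.Errorf("listener negotiated %q, not %q", p, hostmasterALPN)
	}
	return nil
}

func main() {
	fmt.Println(Validate([]string{hostmasterALPN})) // <nil>
	fmt.Println(Validate([]string{"http/1.1"}))     // error
}
```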